Open Bug 1649479 Opened 4 years ago Updated 2 years ago

Assertion failure: isAzimuthGood, at /builds/worker/checkouts/gecko/dom/media/webaudio/blink/HRTFPanner.cpp:147

Categories

(Core :: Web Audio, defect)

Product:
Core
Component:
Web Audio
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- affected
firefox80 --- wontfix
firefox101 --- wontfix
firefox102 --- wontfix
firefox103 --- wontfix
firefox104 --- wontfix

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

testcase.zip
940 bytes, application/zip
Details
Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev adc328596e28 (built with --enable-debug).

Assertion failure: isAzimuthGood, at /builds/worker/checkouts/gecko/dom/media/webaudio/blink/HRTFPanner.cpp:147

rax = 0x00007fbad1b3464b   rdx = 0x0000000000000000
rcx = 0x000055d1a09b3a58   rbx = 0x000055d1a25cd050
rsi = 0x00007fbae2d728b0   rdi = 0x00007fbae2d71680
rbp = 0x00007fbab28bbd00   rsp = 0x00007fbab28bb830
r8 = 0x00007fbae2d728b0    r9 = 0x00007fbab28bd700
r10 = 0x0000000000000002   r11 = 0x0000000000000000
r12 = 0x000055d1a279b4a0   r13 = 0x00007fba28001f00
r14 = 0x000055d1a279b7b0   r15 = 0x00007fbab28bbd68
rip = 0x00007fbacbb6f9cf
OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|35
35|0|libxul.so|WebCore::HRTFPanner::pan(double, double, mozilla::AudioBlock const*, mozilla::AudioBlock*)|hg:hg.mozilla.org/mozilla-central:dom/media/webaudio/blink/HRTFPanner.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|147|0x29
35|1|libxul.so|mozilla::dom::PannerNodeEngine::HRTFPanningFunction(mozilla::AudioBlock const&, mozilla::AudioBlock*, long)|hg:hg.mozilla.org/mozilla-central:dom/media/webaudio/PannerNode.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|403|0x34
35|2|libxul.so|mozilla::dom::PannerNodeEngine::ProcessBlock(mozilla::AudioNodeTrack*, long, mozilla::AudioBlock const&, mozilla::AudioBlock*, bool*)|hg:hg.mozilla.org/mozilla-central:dom/media/webaudio/PannerNode.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|205|0x26
35|3|libxul.so|mozilla::AudioNodeTrack::ProcessInput(long, long, unsigned int)|hg:hg.mozilla.org/mozilla-central:dom/media/webaudio/AudioNodeTrack.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|533|0xd
35|4|libxul.so|mozilla::MediaTrackGraphImpl::ProduceDataForTracksBlockByBlock(unsigned int, int)|hg:hg.mozilla.org/mozilla-central:dom/media/MediaTrackGraph.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1116|0x26
35|5|libxul.so|mozilla::MediaTrackGraphImpl::Process(mozilla::AudioMixer*)|hg:hg.mozilla.org/mozilla-central:dom/media/MediaTrackGraph.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1282|0xb
35|6|libxul.so|mozilla::MediaTrackGraphImpl::OneIterationImpl(long, long, mozilla::AudioMixer*)|hg:hg.mozilla.org/mozilla-central:dom/media/MediaTrackGraph.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1409|0xb
35|7|libxul.so|mozilla::GraphRunner::Run()|hg:hg.mozilla.org/mozilla-central:dom/media/GraphRunner.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|114|0x15
35|8|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1234|0xe
35|9|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|504|0xc
35|10|libxul.so|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|332|0x13
35|11|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:adc328596e28636b03fabe701ec6a4d07054e5af|316|0x17
35|12|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:adc328596e28636b03fabe701ec6a4d07054e5af|291|0x8
35|13|libxul.so|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|447|0x8
35|14|libnspr4.so|_pt_root|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptthread.c:adc328596e28636b03fabe701ec6a4d07054e5af|201|0x7
35|15|libpthread.so.0||||0x76db
35|16|libc.so.6||||0x12188f
Flags: in-testsuite?
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200630144559-933c9f34edfa.
The bug appears to have been introduced in the following build range:
> Start: d9b1730b8cb3dc48601abcd6c768a3c18aa62da0 (20191122153209)
> End: 29ecee49005452f5b675b8a2a6eccd2ffa9239a2 (20191122153337)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d9b1730b8cb3dc48601abcd6c768a3c18aa62da0&tochange=29ecee49005452f5b675b8a2a6eccd2ffa9239a2

This testcase would not function before changes for bug 1572627, but I expect there would have been other ways to trigger this before those changes.

Severity: normal → S3

The code has a path to handle this situation, so we could safely remove the assert, but there may be a problem with the azimuth calculation.

can I work on this bug?

Yes, if you can find out where the azimuth calculation is not behaving as expected, that would be great, thanks.
There are same contribution docs that may be helpful.

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210529034309-98e96a91bbe4) but not with tip (mozilla-central 20220528091325-c7f47d9896aa.)
The bug appears to have been fixed in the following build range:

Start: 40e36555b6e25170ce7828bfe83e4b6c3dbce773 (20220524123013)
End: 2e26130ab9d239492d15e5b1ec04df14df4bf298 (20220524123104)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=40e36555b6e25170ce7828bfe83e4b6c3dbce773&tochange=2e26130ab9d239492d15e5b1ec04df14df4bf298
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Setting regressed_by field after analyzing regression range found by bugmon.

Regressed by: 1572627

Set release status flags based on info from the regressing bug 1572627

status-firefox101: --- → affected
status-firefox102: --- → affected
status-firefox103: --- → affected
status-firefox-esr91: --- → affected

Set release status flags based on info from the regressing bug 1572627

status-firefox104: --- → affected
status-firefox-esr102: --- → affected
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: